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Abstract. This work is a study of DES-like ciphers where the bit- 
wise exclusive-or (XOR) operation in the underlying Feistel network is 
replaced by an arbitrary group operation. We construct a two round 
simplified version of DES that contains all the DES components and 
show that its set of encryption permutations is not a group under func- 
tional composition, it is not a pure cipher and its set of encryption 
permutations does not generate the alternating group. We present a 
non-statistical proof that for n < 6 the set of n-round Feistel permuta- 
tions over an arbitrary group do not constitute a group under functional 
composition. 



1. Introduction 

The Data Encryption Standard (DES), now replaced by AES (the Ad- 
vanced Encryption Standard) as official symmetric key standard, has been 
an official US government standard for more than 20 years. DES and its 
variants are still commonly used in electronic financial transactions, secure 
data communications, and the protection of passwords or PINs [2T]. Being 
the first commonly used modern block cipher, DES has undergone several 
thorough security analyses. Components of the DES architecture are still 
the fundamental building blocks for several contemporary symmetric key 
systems. 

The full description of DES is given in [28] . but we begin describing the 
details of DES that are relevant to this paper. DES is a 16-round Feistel 
cipher acting on the space of 64-bit messages under the control of a 56-bit 
key. A description of the Feistel cipher is given in [14]. Each Feistel round 
is based on a round specific function / mapping 32-bit strings to 32-bit 
strings. The function / is derived from the round number and from an 
initial cryptographic key and involves both permutation and substitution 
operations. It has four components: 
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(1) An expansion permutation E which expands the right-half block y 
from 32 bits to 48 bits. 

(2) Key mixing which combines E(y) with the subkey ki used in round 
i by means of the bitwise-XOR operation. 

(3) Substitution which divides the block E(y)@ki into eight 6-bit blocks 
and each 6-bit block is transformed into a 4-bit block according to 
a non-linear transformation, provided in the form of a lookup table 
(S-boxes). 

(4) Permutation which rearranges the 32-bit output of the eight S-boxes 
according to a fixed permutation. 

Processing of a 64 bit block of data uses the bitwise exclusive-or (XOR) 
operation defined on 48-bit strings. The set of 48-bit strings, denoted 
{0, l} 48 , endowed with the bitwise XOR operation denoted 0, is a group. 
This group is in fact the external direct product of 48 copies of the group 
Z2, which is the set {0, 1} endowed with the binary operation of modulo 2 
addition. 

For each key k, the corresponding DES encryption operation is a function, 
say X)u, which maps 64-bit data blocks to 64-bit blocks, and thus Tf. is a 
function from {0, l} 64 to {0, l} 64 . For each key k, is a one-to-one (and 
thus onto) function from {0, l} 64 to {0, l} 64 , and thus a permutation of the 
set {0, l} 64 . We shall call the DES encryption functions DES permutations. 
The set of DES permutations is a subset of the symmetric group S 2 64 which 
has (2 64 )! elements. 

If the set of DES permutations were closed under functional composition 
(and thus a subgroup of S 2 64) then multiple encryption using several DES 
keys would be equivalent to a single encryption by a single DES key. In this 
case security features of systems like Triple-DES would not exceed that of 
DES. It has been known since the 1990's that the set of DES encryption 
permutations does not constitute a group under the operation of functional 
composition. In [7] the authors presented a statistical test to show that the 
indexed set of permutations is not closed under functional composition and 
so is not a group. 

Our work is a study of cryptosystems with DES-like architecture, but 
for which the bitwise exclusive-or (XOR) operation in the underlying Feis- 
tel network is replaced by a binary operation in an arbitrary finite group. 
The idea of replacing the XOR operation in DES with another operation 
has been considered by several authors: Biham and Shamir [4] show that 
replacing some of the XOR operations in DES with additions modulo 2 n , 
makes their differential attack less powerful. Carter, Dawson, and Nielsen 
[8] show a similar phenomenon when the XOR operation in DES is replaced 
by addition using a particular Latin Square. Patel, Ramzan and Sundaram 
|23j studied Luby-Rackoff ciphers over arbitrary finite groups. They con- 
structed a four round Luby-Rackoff cipher, operating over finite groups of 



See Chapter 8 of [15] for information on external direct products. 



A SIMPLIFIED AND GENERALIZED TREATMENT OF DES RELATED CIPHERS 3 



characteristic greater than 2, and showed that such a cipher is secure against 
adaptive chosen plaintext and adaptive chosen ciphertext attacks, has bet- 
ter time/space complexity and uses fewer random bits than the previously 
considered Luby-Rackoff ciphers based on the group Z 2 with an XOR op- 
eration. As with DES, the Luby-Rackoff cipher involves the use of Feistel 
permutations independently keyed with pseudorandom functions. 

Before our investigation there was no information on whether the set of 
encryption permutations of such systems based on a different finite group 
operation is closed under functional composition. We show that, in non- 
pathological cases, for n < 6 the set of encryption permutations generated 
by n-round Feistel permutations is not closed under functional composition. 
We must also note that we found a fairly simple deductive proof of this fact 
instead using statistical tests as in [7J. 

Knowing the order of the group generated by the encryption permutations 
is also an important algebraic question about the security of the cryptosys- 
tem. Coppersmith and Grossman have shown [11] that in principle DES-like 
components can generate any permutation of the alternating group „4 2 64 ( au 
even permutations, i.e. those that can be represented by an even number 
of transpositions). In 1983 S. Even and O. Goldreich showed that DES-like 
functions are contained within the alternating group [T3]. Furthermore, in 
1998 R. Wernsdorf [29] showed that the one-round encryption permutations 
of DES generate the alternating group, ^4 2 64 - It is still not known whether 
16-round DES permutations generate the alternating group. Using the spe- 
cial properties of the so called weak keys it has been shown in [10] that the 
set of DES permutations generates a very large group, with a lower-bound 
of 2 2499 for its size. 

In [2] it is shown how the replacement of the XOR operation in the un- 
derlying Feistel network of DES with binary operation in an arbitrary finite 
group can affect which group is generated by the n-round DES permutations. 

Since any direct analysis of DES is computationally intensive it is some- 
times not feasible to directly analyze DES. Thus, simplified analogs of DES 
have been introduced. Such simplified versions of DES were introduced by E. 
Schaeffer (called S-DES) in [25], and W. Trappe and L. Washington (called 
B-DES) in [27] . Both versions simulate the basic architecture of DES. As 
with DES, the fundamental computational structure underlying these sim- 
plified versions of DES is the group Z 2 endowed with the XOR operation. 
In [18] . J. Konikoff and S. Toplosky, showed that the group of permutations 
generated by these simplified versions of DES is in the case of S-DES the 
alternating group on 256 elements and in the case of B-DES the alternating 
group on 4096. As with DES, there was no information on whether or how 
the security of corresponding analogs of S-DES or B-DES is affected when 
the XOR operation is replaced with another group operation. 

In this paper we introduce a new simplified version of DES, which we 
call E-DES. The main innovation in E-DES is that we base it on the finite 
group Z3 with the operation of modulo 3 addition. We show that its set 
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of encryption permutations does not form a group under functional com- 
position. We show this both by giving a deductive proof of the statement, 
and by using the cycling closure test as was used in the case of DES for the 
same question. Also, we show that the group generated by the E-DES per- 
mutations is not the alternating group as it contains odd permutations. We 
gave careful attention to the known original design criteria for components 
of DES, particularly the substitution S-boxes, when we designed E-DES. We 
also show that this cryptosystem is not pure, another important property 
for the security of any cryptosystem. 

Our construction of E-DES based on Z3 can be easily adjusted to develop 
a cipher based on a finite group different from Z3 while preserving security 
features of E-DES. In particular, one can use Elliptic Curve groups in antic- 
ipation that several computationally hard problems for these groups may be 
used to further enhance the security of a DES-like cryptosystem based on 
these groups. An attempt for use of the Elliptic Curve groups in DES was 
made in p], but unfortunately not as replacement of the bitwise operation 
in the underlying Feistel network. 

This paper is organized as follows: In Section 2 we state several definitions 
and give a general description of block ciphers based on multiple round 
Feistel networks. In Section 3 we describe a technique of constructing Feistel 
functions. In Section 4 we give the specifics of the design of our instance 
of E-DES and give an example of an encryption in this system. In Section 
5 we describe the cycling closure test and how it can be used to address 
various questions about the algebraic structure of any finite cryptosystem. 
Our results based on these tests address the question of whether the E-DES 
encryption permutations constitute a group under functional composition, 
whether the cryptosystem is pure and which group is generated by such 
cryptosystems. In Section 6 we address these and other group theoretic 
properties concerning of Feistel based block ciphers in general. 

2. Definitions and Notation 

We follow the notation and terminology of [16]. A cryptosystem is an 
ordered 4-tuple (A4, C, /C, T) where M., C, and K, are called the message 
space, the ciphertext space, and the key space respectively, and where T : 
A4 x fC — > C is a transformation such that for each k E K, the mapping 
Tfc : A4 — > C is invertible. 

For any cryptosystem II = (M., C, /C, T), let 7n = {T k ■ k € /C} be the 
set of all encryption transformations. In addition, for any transformation 
T k e T, let 77 1 denote the inverse of 2\. In a cryptosystem where A4 = C 
the mapping is a permutation of Ad. We consider only cryptosystems 
for which A4 = C. The set of all permutations of the set A4 is denoted S_m- 
Under the operation of functional composition Sm forms a group called the 
symmetric group over A4. The symbol (7n) denotes the subgroup of Sm 
that is generated by the set Tu- 
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A cryptosystem II is called closed if its set 7n of encryption transforma- 
tions is closed under functional composition i.e for every k±, J$2 G JC there is 
ks G /C such that T^T^ = Tfc 3 . By Theorem 3.3 from [H] II is closed if and 
only if its set of encryption transformations 7n is a group under functional 
composition. Thus, the cryptosystem II is closed if, and only if, 7n = (7n)- 

In [26] Shannon generalized the idea of closed cipher. A cryptosystem is 
pure if and only if for every three keys k±,k2, and k^ there exists a key k^ 
such that T^Tj^T^ = Tfc 4 . One can show that II is pure if and only if 
for every T G Tu the set T _1 7n = {T~ x T k : k G K,} forms a group under 
functional composition. It is known that every closed cryptosystem is pure, 
but not every pure cryptosystem is closed. 

To analyze the algebraic properties of Feistel based ciphers it is also useful 
to introduce the following definitions about permutation groups. For any 
subgroup S C Sm, for any m G A4, the set orbs(m) = {(ft(m) : (j) G S} is 
called the orbit of m under S. The set stabs(m) = {(j) G S : <p(m) = m} is 
called the stabilizer of m in S. In Section 5 we will make use of the following 
well-known theorem. 

Theorem 1. Let S be a finite group of permutations of a set M. Then for 
any m G M , 

| S | = | orbs(m) \ ■ \ stabs(m) \ 

3. Feistel Networks 

A multi-round block cipher is a cipher involving the sequential applica- 
tion of similar invertible transformations (called round functions or round 
transformations) to the plaintext. All round transformations are usually 
key-dependent and the transformation of round i obtains its own subkey 
ki which is derived from the cipher key k using a key-schedule algorithm. 
Feistel networks constitute an important design principle underlying many 
block ciphers, including DES. They were described first by Horst Feistel 
during his work at IBM on the cipher Lucifer [14] . 

Definition 1. Let (G, 0) be a finite group. For a function f : G* — > G l the 

function o/ : G 2t — > G 2t defined by 0/(x, y) = (y,x® /(?/)) is called a Feistel 
function. 

A Feistel network consists of repeated applications of Feistel functions 
with different round functions / used in each round. By definition, a Feistel 
network with n-rounds is the permutation function 

*2t(/l> /2, ' ' ' , fn) = 0-/2 ° • • • 0-/ n 

Typically, the round functions are chosen to be highly nonlinear key- 
dependent functions with good diffusion. A standard way to provide these 
properties for the round functions is to use a substitution structure (S- 
boxes) . 
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Let F t (G) be the set of all functions / : G* -> G*. The set F t {G) admits 
some operations. For / and g in Ft(G) we define / g so that for each 

(fog)(y) = f(y)®g(y). 

The symbol "©" above denotes the group operation of the product group 
G l . Now (F t (G), 0) is a group. Additionally, the functional composition 
operation o on Ft(G) will be featured. 

A random Feistel network with n rounds, is a Feistel network in which 
the round functions /i, • • • , f n are randomly and independently chosen func- 
tions form the set Ft(G). These networks are also known as "Luby-Rackoff 
constructions with n rounds". 

Lemma 2. Let (G, ©) be a finite group. For each function f € Fj(G) the 
Feistel function at is a permutation of the set G* x G f . 

Thus, for each function / € Ft(G), the Feistel function o~f is a member of 
S\Qat\, the permutation group of the finite set G l x G t . 

3.1. Feistel functions derived from S-boxes. In several practical imple- 
mentations of Feistel network based cryptosystems, including classical DES, 
the members of Ff(G) are constructed in a very specific way from an input 
key parameter, and a selected set of substitution tables called S-boxes. Much 
of the security of a block cipher based on a Feistel network depends on the 
properties of the substitution boxes (S-boxes) used in the round function. 
The DES S-boxes are reported to have been designed to conform to a num- 
ber of criteria as they are the part of the system where the cipher function 
gets its security. For more details on the properties of the S-boxes used in 
DES, see for example [10], [5], [6] and [9]. In this section we describe the 
design of functions / : G l — > G l where G is some finite group, from S-boxes. 

An S-box is a lookup table with k = \G\ l rows and m = \G\ 3 columns. 
The entries of an S-box will be conceived of as j-nit sequences over G. Let 
n such S-boxes be given. The function / constructed from these n S-boxes 
must be a function from G l to G 1 . Thus, the inputs of the function / will 
be a t-nit sequence of group elements. 

This input is used to construct an output from the n S-boxes by reading 
off from this input an S-box number and row-number and column-number 
for that S-box, and then using the entries in these positions of the indicated 
S-boxes to construct the output. There are several approaches to indicating 
the S-boxes. 

We require that all n S-boxes are "active" in constructing the value of 
the function /. Thus, from the t-nit input we must read for each of the n S- 
boxes the corresponding row- and column-information. Note that from our 
specification of the S-box dimensions above, the row number can be coded 
as an i-nit string of elements of G, while the column number can be coded 
as a j-nit string of elements of G. Thus, to specify a row and column we 
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Figure 1. Calculation of f(R,K) 



use an (i + j)-nit string, plus a convention indicating which i of these nits 
to use in which specific ordering to select the row, and what ordering on the 
remaining j-nits to use to select the column. Let such a row/column number 
convention be fixed. To keep the selections from the .S-boxes independent 
of each other, we use an (i + j)-n-nit string derived from the input element 
of G*, a i-nit string. The output is obtained by concatenating the n input- 
indicated j-nit entries from each of the S-boxes, thus obtaining a (j-n)-nit 
output. Thus, we require that t = j-n. 

Since t < (i + j)-n, we expand the i-nit input using a carefully chosen 
expansion function 

The other input parameter to the S-box is an (i+j)n-mt key, K. This key 
and E(R), the expansion of the t-nit string R, is then used to construct the 
input to the S-box. The input to the S-box is K@E(R) where the operation 
© is the nit-wise group operation on the product group G^ i+ A The (i+j 
nit quantity K © E(R) is separated into n blocks of consecutive (i + j)-nits 
each, with string number s designated as the row/column selection code for 
S-box number s. 

The output is obtained by concatenating the j-nit entries from each of 
the S-boxes in canonical order to obtain a t-nit (t = j-n) output. Figure ?? 
illustrates this construction based on three S-boxes. 

4. A SIMPLIFIED DES CIPHER BASED ON Z 3 

We define a simplified version of DES, called E-DES, by declaring the 
message-space M. and the ciphertext space C to be M. = C = {0,1, 2} 18 , 
and by declaring the key space K to be K = {0, 1, 2} 20 . Figure [2] illustrates 
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Plaintext (18 nits) 




Ciphertext (18 nits) 



Figure 2. E-DES structure 



the overall structure of this simplified DES cipher and Figure ?? illustrates 
the round function /. 

The inputs for the E-DES encryption algorithm are an 18-nit block of 
plaintext (example: 110120121220120121) and a 20-nit key. The algorithm 
produces an 18-nit block of ciphertext as output. For a fixed key k the 
function derived from the S-boxes as described before takes as input the 
data passing through the encryption algorithm and a 15-nit subkey. The 
mapping defined from the key k by the E-DES encryption algorithm 
involves the sequential application of functions and can be expressed as 

T k = P^ 1 o 9 o afk2 o afki o P. 

where 9 is the "swap" function 

8(x,y) = (y,x) 

from Zf to Zf. 

Note that 9 = _1 . Recall that (/ o g^ 1 = g~ l o f~ l . Then the 
decryption algorithm can be expressed as 

T," 1 = P- 1 o (T7 1 o (jT 1 o o P. 

« /fei /fe 2 

The inverse of aj 1 , i = 1, 2 is 

j fej 

where is the operation subtraction modulo 3, the inverse group operation 
in Z3. 
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The quantity k\ is a 15-nit subkey of the input key k and is derived from 
k using the compression permutation 

CP\ = ( 16 17 12 15 20 10 11 3 7 19 13 9 8 1 18 ) 

Similarly, k% is a subkey of k obtained from k by using the compression 
permutation 

CP2 = ( 6 7 2 20 4 3 9 8 18 10 15 14 11 12 5 ) 

We shall now describe each of the functions constituting the encryption 
permutation T^. Following this description, we illustrate the algorithm by 
going through the individual steps using an explicit input plaintext and an 
explicit input key. 

4.1. Initial and Final Permutations. The input to the algorithm is an 
18-nit block of plaintext which is first permuted using the permutation 

p _ I 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 \ 
r ~ V 11 12 2 13 9 1 5 8 16 17 4 18 15 7 10 3 6 14 > • 

For example, the initial permutation moves nit in position 6 of the plain- 
text to position 1, the nit in position 3 of the plaintext to position 2, the nit 
in position 16 of the plaintext to position 3, and so forth. 

The final permutation is the inverse of P, and is the permutation 

p-l _ I 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 \ 
r ~ \ 6 3 16 11 7 17 14 8 5 15 1 2 4 18 13 9 10 12 ) • 

The initial permutation P and the corresponding final permutation P^ 1 
do not affect the security of the cryptosystem. 

4.2. The Expansion Permutation. This operation expands the right half 
of the 18-nit data-block being processed from 9-nits to 15-nits by changing 
the order of the nits as well as repeating certain nits. This operation has 
two properties: It makes the right half the same size as the subkey for the 
®mod 3 operation and it provides the appropriate length nit-sequence for use 
during the substitution operation. The expansion permutation is given by 

£'=(912345634567891). 

4.3. The S-box substitution. The most fundamental encryption step in 
E-DES, directly impacting the security of E-DES, is the application of the 
substitution boxes, or S-boxes. There are three different S-boxes. Table 2 
shows these three S-boxes. To achieve the "non-linearity" property and the 
randomness of the output we used the following criteria in the design of the 
S-boxes: 

(1) No S-box is a linear or affine function of the input. 

(2) Each "row" of an S-box contains all possible outputs. 

Note that the entries displayed in Table 2 are ordinary integers between 
and 26. Each S-box transforms a 5-nit input to a 3-nit output as follows: 
The 15-nit result of the expansion permutation is divided into three 5-nit 
sub-blocks. Each separate block is the input for a separate S-box: The first 
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block is input for S-box 1, the second block is input for S-box 2 and the 
third block is input for S-box 3. 

Each S-box is a table of 9 rows and 27 columns. The rows are numbered 
by through 8, while the columns are numbered by through 26. Each en- 
try in the 9-by-27 S-box is, when expressed in base 3, a 3-nit number. The 
5-nit input of an S-box specifies the row and column number of the S-box 
entry that is the output for that input. This is done as done as follows: Let 
rai, n2,ra3,n4, and 715 be the 5 nits of input listed in order of occurrence in 
the input. Nits n\ and 715 are combined to form 2-nit number in base 3, cor- 
responding to one of the decimal numbers from to 8: This decimal number 
specifies a row number in the S-box under consideration. The middle 3 nits, 
712,713,714 are combined to form a 3-nit number in base 3, corresponding to 
one of the decimal numbers from to 26: This decimal number specifies 
a column in the S-box under consideration. Here 00 corresponds to row 1, 
and 000 corresponds to column 1. 

For example, suppose that the input to the second S-box is 22010. The 
first and the last nit combine to form 20, which corresponds to row number 6, 
which is by our convention the seventh row, of the second S-box. The middle 
3 nits combine to form 201, which correspond to the number 19, indicating 
by our convention the 20-th column of the same S-box. The entry at the 
intersection of the seventh row and twentieth column of S-box 2 is 11. Since 
102 is the base 3 representation of 11, the 3-nit value 102 is the output from 
S-box 2, given the 5-nit input 22010. 

4.4. An example of an encryption using E-DES. We now describe 
how E-DES encrypts the 18-nit message m = 012012012012012012 by using 
the 20-nit key k = 11012012122012012110. 
Apply initial permutation P to m: 

mi = P( m ) = 121020110102200221. 

The right half of mi is 

m 2 = R{mi) = 102200221. 
Apply the expansion map E to 777.2: 

m 3 = E{m 2 ) = 110220022002211. 
Apply the key compression map CP\ to k: 

k x = CPi(fc) = 120002201111211. 
In Z3 5 add 7773 and k\\ 

m 4 = ma © k! = 110220022002211 © 120002201111211 = 200222220110122. 

Note that the group operation © here is nit-wise addition modulo 3. 
Partition 7774 into three 5-nit blocks before processing to the S- 
boxes. Then the block 20022 becomes an input in S-box 1, 22201 an input 
in S-box 2 and the last 5-nit block 10122 becomes an input in S-box 3. 
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Determine the 3-nit output of each S-box: 

S-box 1: The first and last nits of this block form 22, which corresponds to 
row number 8, the ninth row. The middle three nits form 002, which corre- 
sponds to column number 2, which is the third column. The entry in row 
8, column 2 of S-box 1 is the decimal number 20. The base 3 representation 
of 20 is 202, so the output for S-box 1 is 202. 

S-box 2: The second S-box input is 22201. The first and last nits of this 
block form 21, which corresponds to row number 7, which is the eight row 
of S-box 2. The middle three nits form 220, which corresponds to column 
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number 24 which is the twenty-fifth column of S-box 2. The entry in row 7, 
column 24 of S-box 2 is the decimal number 5. The base 3 representation 
of 5 is 012, so the output for S-box 2 is 012. 

S-box 3: The third S-box input is 10122. The first and last nits of this 
block form 12, which corresponds to row number 5, which is the sixth row 
of S-box 3. The middle three nits form 012, which corresponds to column 
number 5, which is the sixth column of S-box 3. The entry in row 5, column 
5 of S-box 3 is the decimal number 19. The base 3 representation of 22 is 
211, so the output for S-box 3 is 211. 

Determine the 12-nit output from the S-boxes: 

Concatenating these three S-box outputs in order gives the combined 
output 

m 5 = 202012211. 

In the group Z3, add 7715 to the left half of mi: The left half of mi is 
m 6 = 121020110. This step gives 

m 7 = m6 e m5 = 020002021 

Combine m 2 and mi by left-right swap: 

d = e(m 7 ,m 2 ) = 102200221020002021 

This completes the first of the two Feistel rounds of E-DES. The right half 
of ei is e 2 = R{ei) = 020002021. 

Apply the expansion map E to e 2 : 

e 3 = E(e 2 ) = 102000200020210. 
Apply the key compression map CP 2 to k: 

k 2 = S 2 (k) = 011010121202202. 

In Z3 5 add e% and k 2 : 

e 4 = e 3 k 2 = 102000200020210 011010121202202 = 110010021222112. 

Partition e± into three 5-nit blocks. Then the block 11001 becomes an 
input in S-box 1, 00212 an input in S-box 2 and the last 5-nit block 22112 
becomes an input in S-box 3. 
Determine the 3-nit output of each S-box: 

S-box 1: The first and last nits of this block form 11, which corresponds 
to row number 4, the fifth row. The middle three nits form 100, which cor- 
responds to column number 9, which is the tenth column. The entry in row 
4, column 9 of S-box 1 is the decimal number 2. The base 3 representation 
of 2 is 002, so the output for S-box 1 is 002. 

S-box 2: The second S-box input is 00212. The first and last nits of this 
block form 02, which corresponds to row number 2, which is the third row 
of S-box 2. The middle three nits form 021, which corresponds to column 
number 7 which is the eighth column of S-box 2. The entry in row 2, column 
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7 of S-box 2 is the decimal number 8. The base 3 representation of 8 is 022, 
so the output for S-box 2 is 022. 

S-box 3: The third S-box input is 22112. The first and last nits of this 
block form 22, which corresponds to row number 8, which is the ninth row 
of S-box 3. The middle three nits form 211, which corresponds to column 
number 22, which is the twenty-third column of S-box 3. The entry in row 
8, column 22 of S-box 3 is the decimal number 23. The base 3 representation 
of 23 is 212, so the output for S-box 3 is 212. 

Determine the 12-nit output from the S-boxes: 

Concatenating these three S-box outputs in order gives the combined 
output 

e 5 = 002022212. 

In the group Z3, add es to the left half of e\\ The left half of e\ is 
e 6 = 102200221. This step gives 

e 7 = e 6 e 5 = 101222100. 

Concatenate cj and e 2 to form e-je^ 

e 8 = e 7 e 2 = 101222100020002021. 
Apply the final permutation, P _1 to eg: 

c = P'\e 8 ) = 210212002210210000. 

Now c = 210212002210210000 is the ciphertext output when E-DES is 
applied to the input plaintext m = 012012012012012012, using the key 
k = 11012012122012012110. 

5. Cycling closure experiments on simplified Feistel networks 

over certain finite groups 

We give a general overview of the cycling closure test. The cycling closure 
test can be used to address various questions about the algebraic structure 
of any finite cryptosystem. The test was used in [7] and in [TO] to give a 
conclusive proof that the set of permutations in the classical DES is not 
closed and to determine the lower bound on the size of the subgroup gener- 
ated by the DES permutations. We performed this test on several simplified 
versions of DES over certain finite groups. 

Assume that the subset 7n of the group Sym^i is closed under compo- 
sition. Then for any key k € K the order of the encryption permutation T\. 
divides the order of 7n- Recall that |7n| < Thus, in particular, the 
order of Tj- is no larger than \]C\. By the Orbit-Stabilizer theorem it follows 
that for any message x € M. we have |orb^ fc )(x)| divides the order of the 
cyclic group (Tfc), and thus 

|orb (Tfe) (m)| < \K\. 
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More generally, for messages x%, X2, ■ ■ ■ , x m we have 

lcm{|orb/r fc \(xj)| : i < to} < \K\. 
If it happens that for a key k and messages x±, ■ ■ ■ , x m 

IcmHorb^^Xj)! : i < to} > \K\ 

then we have that 7n is not closed and therefore not a group. 

Thus to test a cryptosystem for some algebraic weaknesses such as closure 
and purity one has to examine the orbits of subsets of encryption transfor- 
mations on particular messages. The method is to compute the orbits of 
single encryption and to apply the cycling closure test to subsets of two or 
more encryption transformations. The cycling closure test picks an initial 
message m at random and then takes a pseudorandom walk in Tij, beginning 
at to. For each step of the pseudorandom walk, the previous ciphertext is 
encrypted under a key chosen by a pseudorandom function of the previous 
ciphertext. The walk continues until a cycle is detected. By the Birthday 
Paradox the walk is expected to cycle after approximately | 7n l 1 ^ 2 steps. 

Recall the definition of purity of a cryptosystem. To determine the purity 
of the cryptosystem using the cycling closure test we first need show the 
following statement. 

Lemma 3. A cryptosystem H is pure if and only if for some T G 7n the 
set T _1 7n = {T _1 o : k G /C} is closed under functional composition. 

Proof: Let T G 7n be an encryption permutation for which the set T _1 7n 
is closed under functional composition. Then, for each Ti,Tj € 7n and each 
T G 7n there exist G 7n such that (T -1 o Tj) o (T" 1 o Tj) = T _1 o T^. 
But, then 

T o (T" 1 o Ti) o (T- 1 o Tj) = T o T- 1 o T k 

or Tj o T _1 o Tj = Tfc which means that II is pure. 

Now, let assume that II is pure. Then for each T, Tj, T k G 7n there exists 
T G 7n such that T o TJ X oT^ = T\. But, then for each T G 7n, 

(T- 1 o Ti o Tr 1 ) o (T- 1 o T k ) = T- 1 o Ti 

This implies that for some T G 7n the set T _1 7n is closed. 

5.1. Orbit Test. Given any key k and any message to, compute Xi = 
Tl(m), i = 1, 2, • • • for a specified numbers of steps or until a cycle is de- 
tected. 

5.2. Purity Test. Pick any encryption T G 7n and apply the cycling clo- 
sure test to the set T -1 o 7n- 
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5.3. Small Subgroup Test. Pick any keys ki,k2, - ■ ■ k s and any message 
m apply the cycling closure test to the set {T^ 1 , T^ 2 , • • • , } T £ 7n to 
obtain a statistical lowerbound of the group (T/ Cl , T^ 2 , ■ ■ ■ , Tk s ) ■ 

We developed a software to implement these tests on a 2-round simplified 
version of DES with two randomly chosen S-boxes where the group operation 
is addition modulo n for n E {2,3,5,7,11}. Tables 2-4 give a through 
description of our cycling experiments. The tests give a conclusive proof to 
the following theorems. 

Theorem 4. For a fixed pair of S-boxes and for n £ {2, 3, 5, 7, 11} the set 

of encryption permutations of a 2-round simplified version of DES over Z n 
is not closed under functional composition. 

Theorem 5. The simplified cipher E-DES is not pure. 

Theorem 6. The group generated by the E-DES encryptions is larger than 

|<S49 I • 

6. Some group theoretic properties of 
feistel based block ciphers 

In |19| it was shown that the Luby-Rackoff constructions with 4 rounds 
based on the XOR operation are secure against adaptive chosen plaintext 
and ciphertext attacks. These results are based on the rather strong hypoth- 
esis that the round functions are random. In |24j it was shown that when 
the round functions are random permutations, a 4-round Feistel network 
remains secure as long as the number of queries m is very small compared 
with 2 1 / 2 (i.e. m <C 2*/ 2 ) where 2t is the block size. One way to improve the 
security of these type of Feistel networks is to use multiple encryptions. 

We show that the n-round Feistel networks, n < 6 with one-to-one round 
functions " do not form a group" i.e. the set of such Feistel permutations do 
not form a group under functional composition. This implies that multiple 
encryptions can improve the security of the 4-round Feistel networks even 
when the round functions are random permutations. 

Theorem 7. Let G be a finite group with \G\ > 1 and let t be a positive 
integer. Let X C F t (G) be a set of functions f : G l — > G l that does not 
include the identity element. If each element of X is one-to-one then for 
n < 6 the set of permutations of the form VP (/i, fi-, • • • , f n ) where each 
fi, i <n is from X is not a subgroup of S\Q2ty 

Proof: We prove the statement for n = 6. The proof for n < 6 is 
similar. Consider the set of all permutation of the form x I /2t (/i, /2, • • • , fe). 
Assume that this set is a group under composition. Then some e must be 
the identity element of S\Q2ti. This means that for some fixed / € X, for all 
(x, y) G G 1 x G*, we have vP 2 *(/i, f 2 , ■ ■ ■ , f&){x, y) = (x, y). But then for all 
x,y € G l we have 
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(1) My) + h(y + h{* + h{y)) + My + A(* + My)) + U(x + f l ( y )+ 

+/ 3 (y + / 2 (/ + /i(y)))) = o 

and 

(2) f 2 (x + h{y)) + U{x + fi(y) + f 3 (y + f 2 (x + fi(y))) + h(y) = 
Put x = —fi(y) in [1] and [2] to get 

(3) AGO + My + A(o)) + My + A(o) + MMy + A(o))) = o 

and 

(4) A(o) + MMv + A(o))) + My) = o 

After substituting S] into [3] and then setting y = we get 

A(o) + A o f 2 (x + A(o)) + A o (-/ 6 )(0) = o 

Thus, A° A i s a constant function. Since A £ ^t(G) is one-to-one function 
one concludes that A m ust be a constant. But this contradicts the fact that 
A is a one-to-one function^. 

Generalizing classical DES, we now define for the finite group G and 
positive integers t and n, n-round DES over G, denoted GDES^: For given 
functions fi, ■ ■ ■ , f n the corresponding n-round GDES^ permutation T n 
over the finite group (G, ©) is the composition 

T n = P- 1 o0o a fn o o- /ft _ 1 o---o(T fl oP 

of permutations, where 9 is the "swap" function 

6{x,y) = (y,x) 

from G 2 * to G 2t and P is a member of «S|g2t| and P _1 its inverse. These are 
the initial and final permutations used in GDES^- In this notation classical 
DES is Z 2 DES^. 

Note that 6 = Q~ x . In the case when the underlying group G in GDES^ 
is a group of characteristic 2, <jf = aj 1 . For arbitrary finite groups, 

o] l {x,y) = (xQf(y),y), 

where © is the inverse group operation x © y = x © (— y). Hence, in general, 
the decryption process applies the key schedule in the reverse order, with © 
used instead of ©; that is, 

T~ x = P~ l o o-T 1 o • • • o o-T 1 o 9 o P. 

n Jl Jn 

Also, note that if the round functions fi, ■ • ■ , f n are randomly and inde- 
pendently chosen functions then 

T n = P~ l o 9 o ^™ o P 



Observe that the theorem can be strengthened by requiring only that /a is a one-to-one 
member of F t (G), and f$ is a non-constant element of F t (G). 
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For a fixed set X C F t (G) of functions, GDES^(X) denotes GDES& 
where the functions used in constructing the GDES^t permutations are re- 
stricted to come from X. We consider the effect of structure of subsets X of 
((Ft(G), 0), o) on the corresponding set of GDES^-X") permutations. Note 
that the initial and final permutation, P and P _1 do not affect the algebraic 
structure of GDES^ and therefore they can be omitted when examining its 
algebraic properties. 

Theorem 8. Let G be a finite group. Let X C F((G) be a set of functions 
that does not include the identity element of (Ft(G),Q). Then 

(1) The set of GDES^X) permutations is not a subgroup of S\Q2t\. 

(2) The set of GDES^PO permutations is not a subgroup of S\Q2t\. 

Proof: 

Consider GDES^X): Assume that the set {e(x, y) = (x © f(y),y) ■ 
f G X}, is a group under composition. Then some e must be the identity 
element of «S|g2t|. This means that for some fixed / G X, for all (x,y) G 
G* x G", we have (x © f(y),y) = (x,y). But then for all y in G*, f{y) = e, 
the identity element of G t , whence / is the identity element of (Ft(G),©). 
This contradicts the fact that X does not include the identity element of 
(Ft(G),0). 

Next, consider GDES^(X): Assume that the set of all GDES^X) per- 
mutations is a group under composition. Then there are functions f\, fi G 
X such that e = 6 o o~f 2 o aj x is the identity element of S\Q2t\. Then for each 
(x,y) G G* x G\ 

x = x © /i (y) and 
y = y® f2{x® h{y)). 

But then for all x and y in G', /i(y) = ^C^) — e ; the identity element of 
G*, whence /i and f2 are the identity element of (F 4 (G), ©). This contradicts 
the fact that X does not include the identity element of (Fj(G), ©). <D 
Clearly this deductive argument improves Theorem[3]which was proven using 
a computational method. 

Corollary 9. For any pair of S-boxes and for n G {2, 3, 5, 7, 11} the set of 

encryption permutations of a 2-round simplified version of DES over 7L n is 
not closed under functional composition. 

Using similar techniques we have shown that the set of GDES^(X) per- 
mutations for n < 6 do not constitute a group under functional composition. 

Theorem 10. Let G be a finite group and let t be a positive integer. If 
X C F^(G) is the set of all one-to-one functions X C F^(G) then the set of 
GDES% t (X) permutations for n < 6 is not a subgroup of S\c 2t \ 

The following corollary is an immediate consequence of the previous two 
theorems. 
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Corollary 11. For each of B-DES, S-DES and E-DES, the corresponding 
set of encryption permutations does not constitute a group under functional 
composition. 

Definition 2. The characteristic of the group (G, 0) is the least positive 
integer n such that for each x € G we have nx = e. 

Assuming that the group has characteristic 2 and that the set of GDES^ -2 
permutations does not contain the identity element of 5jg2t| we can extend 
the previous result to n > 6 (Theorem [12]) . This partially answers the ques- 
tion from |16] whether the set of encryption permutations in classical DES 
contains the identity element. Note that showing that the set of GDES^ 
permutations does not contain the identity element implies that it is also 
not closed under functional composition. 

Theorem 12. Let G be a finite group of characteristic 2. If for each 
instance GDES^ -2 the set of GDES^ -2 encryption permutations does not 
contain the identity element of <S|c? 2 *| » then for each instance of GDES^ 
the subset of GDES^ encryption permutations for which f\ = f n is not a 
subgroup of S\Q2t\. 

Proof: 

Recall that! GDES^ permutations are of the form 
e n = 0oa fn o ajn _ x o • • • o a h o a fl . 

Let (xi,yi) denote ti(x,y) for (x,y) € G l x G* and 1 < i < n. Assume that 
the subset of GDES^ permutations for which f\ = f n contain the identity 
element of S\Q2t\ . 

Fix an instance of GDES^ for which there is a key giving rise to the 
sequence (/i, • • ■ , f n ) of round functions such that f\ = f n , and the corre- 
sponding GDES^ encryption permutation is the identity function. Also fix 
a key k giving rise to such a sequence (/i, • • ■ , f n ) of round functions. Thus, 
for all x, y £ G l x G l we have e n (x, y) = (x, y). 

Note that from this instance of GDES^ we can define an instance of 
GDES^ 1 so that the key schedule of the latter is related as follows to the 
key schedule of the former: For the given key if {k\ , * * * , k n ) are the n 
round keys of GDES^, then (k[, • • • , k' n _\) are the corresponding round keys 
for GDES^" 1 , where k[ = k i+1 for 1 < i < n. 

Then we can write e n = e' n _ 1 ocj/j where ej l _ 1 = Ooaf n oaf n _ 1 o£j/ 3 o...oa/ 2 
is the corresponding GDES^ -1 encryption permutation arising from the key 
k. For convenience, write (x n _i,y„_i) for e^_ 1 (x,y). 

Since we assumed that e n is the identity function we find that e' n _ 1 = aj^ , 
i.e., for all x and y in G l , 

( 5 ) ^ n -i(x,y) = (ye fi(x),x) 

^Note that the initial and the final permutation don't affect the algebraic structure of 
GDESot 
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On the other hand we can write e^„ 1 (x, y) = 9oa f n o8oe' n _ 2 {x, y)i where as 
before e' n _ 2 is a corresponding GDES^ -2 encryption permutation obtained 
from the key k using the ideas above to define an instance of GDES^ -2 from 
the instance of GDES^ -1 - Note that for all x and y in G t , 

(6) 0oa fn o6(x,y) = (y®f n (x),x). 

From equations ([5]) and © we see that for all x and y in G we have, 
setting e' n _ 2 (x,y) = (x n _ 2 ,y n _ 2 ), that 

(V Q fl(x),x) = {y n ~2 ® f n {Xn-2),Xn-2)- 

Thus, for all x and y in G we have that x n _ 2 = x , and y Q fi(x) = 
Un-2 © fn(x). Since we assumed that f\ = f n and that the group has 
characteristic 2, we find that for all y £ G t , y n -2 = V- But then the 
encryption permutations of this instance of GDES^ -2 contain the identity 
element of S\Qit\. This establishes the contrapositive of the theorem. 

In [2] we show when the group generated by the ra-round GDES^ permu- 
tations, where the underlying Feistel network based on the binary operation 
of G contains odd permutations. 

Theorem 13. [2] Let G be a finite group and let n be positive integer. 
If | G |*= 2, 3 mod 4 and t is odd then the group generated by the set of 
GDES^ encryption permutations is not a subgroup of A\q2u. 

Corollary 14. The subgroup of S 3 is that is generated by the set of E-DES 

permutations is a group that contains as many even permutations as odd 
permutations. 

Based on several asymptotic results that appear in the literature ( [3], 
[12] . or [20]) about generating the alternating group or the symmetric group 
we make the following conjecture. 

Conjecture 1. The group generated by the set of E-DES permutations is 

S 3 1S. 

Theorem 15. Let G be a subgroup of the finite group H . If there is 
an S-box set for G such that the corresponding set of GDES^ encryption 
permutations do not constitute a group, then there is an S-box set for H 
such that the corresponding set of HDES 2 ^ encryption permutations do not 
constitute a group. 

Proof: Let S-boxes Si,-- - , S n for GDES^ be given such that the set 
of encryption permutations of GDES| t defined from these S-boxes does not 
constitute a group under composition. We may assume that t = j-n, while 
round key lengths are (i + j)-n. Thus each of these S-boxes has \G l \ rows 
and \G 3 \ columns. Each of the row entries is an element of G 3 . We may 
assume that each of the \G\ l rows is indexed by an element of G l and each 
of the \G\ 3 columns is indexed by elements of the set G 3 . 
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Now expand each S-box S p to an S-box R p as follows: Adjoin \H l \ — \G l \ 
additional rows, and \H 3 \ — \G 3 \ additional columns to obtain an |fP|-by- 
\H 3 \ array such that the top left |G 4 |-by-|G J | corner is the given S-box S m , 
and the remaining entries are all from H 3 \ G 3 . The additional rows are now 
indexed by elements of H l \G l , and the additional columns are indexed by 
elements of H 3 \ G 3 . 

Claim: The set of HDES^ permutations arising from the S-boxes R±, ■ ■ ■ ,R 
does not constitute a group under functional composition. 

For assume the contrary. Let k\ and A?2 be GDES^j keys such that T^T^ 
is not of the form Xfc 3 for some GDES^ key k%. Observe that the set of 
GDES^ keys is subset of the set of HDES^t keys, and that the set of GDES^ 
plaintexts is a subset of the set of HDES| t plaintexts. 

By our hypothesis there is an HDES| 4 key k, fixed from now on, such that 

Tk 2 Tk 1 = Tk- 

By the choice of the keys k\ and &2 it follows that k has an entry from H\G. 
It also follows that there is a plaintext m € G 2t such that during encryption 
of m using T^, in some of the two Feistel rounds an entry of k which is in 
H \ G is used, for otherwise we may modify k so that all entries are from G 
and still have T^T^ = T^, contradicting the choice of k\ and k2- 

Encryption of m by Tfc 2 T/ Cl : Let ni£ denote the left half of m and let m r 
denote the right half of m. Consider E(m r ), the expansion of m r , used in 
specifications of the encryption algorithm GDES^ in use. 

In round 1 of we see that the first step is m\ = E(m r ) © k\ where k\ 
is the first round subkey. Now all {i + j) ■ n entries of m\ are elements of 
G, and thus point to entries of the S-boxes Si, ■ ■ ■ , S n , so that the output 
of this round is another element, e\, of G 2t . Completing the second round 
of T/ Cl produces an element e\ of G 2t , which is input of Tfc 2 . By similar 
considerations the result of applying Tk 2 to e\ is the element T^T^im) of 
G 2t . 

Encryption of m by Tj,: Now consider the destiny of m under the encryption 
permutation T^. By our earlier remark about the use of entries of k during 
the encryption process, for some round j < 2, the round key k J has an entry 
in H \ G which is used in that round. Let j denotes the first round when 
this occurs. 

Case 1: j— 1. The input to round lism£ G 2t . With E(m r ) the expansion 
of the right half to an (i + j)-n sequence from G, m 1 = E(m r ) © k 1 has an 
entry from H \ G as it is a group element of H obtained from the group 
operation of an element of the subgroup G with an element not in G. But 
then m 1 points, for some S-box R p either at a row beyond the |G J |-th, or at 
a column beyond the | C-^ |-th. By the construction of the expanded S-boxes 
over H, the return from this S-box consists of j-nits from H 3 \ G 3 , and thus 
the output from this step is e\, which has n ■ j nits, and one of the n blocks 
of consecutive nits has an entry from H \G. The output from this round 
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then is of the form a list of length 2-t with first t entries m r , the right half 
of the original message, a member of G l , and mi © e\ which is a member 
of H* \ G t . After the second round of the encryption using the key k we 
find that the right half of the output ciphertext still is © e\, and so the 
result of the encryption is not a member of G 2t , contradicting that for all 
m, T k2 T kl (m) = T k (m). 

Case 2: j=2. The output of the first round of T k is an element of G 2t . 
Thus the input to round 2 is an M <G G 2t . Let M^denote the left t nits of 
M, and M r the right t nits. Let E(M r ) be the expansion of the right half 
to an (i + j)-n sequence from G. Then M 1 = E(M r ) © k 2 has an entry from 
H \ G as it is a group element of H obtained from the group operation of 
an element of the subgroup G with an element not in G. 

But then M 1 points, for some S-box R p either at a row beyond the \G l \- 
th, or at a column beyond the |G J |-th. By the construction of the expanded 
S-boxes over H, the return from this S-box consists of j-nits including some 
from H \ G. Thus the return from the S-boxes is an element of H l \G\ 
say e. But then Mi © e still is a member of H l \ G l as G is a subgroup 
of H. Since this is the right half of the output from the second round of 
the encryption using the key k, it follows that T k (m) € H 2t \ G 2t , and thus 
Tk 2 Tk 1 (m) ^ Tfc(m), a contradiction. 

It follows that set of encryption permutations of HDES^ with the S-boxes 
Ri, ■ ■ ■ , R n does not constitute a group. 

The following corollary follows directly from the previous theorem. 

Corollary 16. Let G be an arbitrary finite group. If there is an S-box set 
for GDES^ encryption permutations do not constitute a group, then for any 
finite group H there is an S-box set such that the set of UDES^ encryption 
permutations where U = G x H do not constitute a group. 

Note that the last \H\ l — \G\ l rows of the S-boxes R±, • • • , R n appearing 
in the proof of Theorem [15] do not contain any members of G 3 , and thus are 
not permutations of members of H 3 . We conjecture that expansions of the 
original set n of S-boxes can be found such that if the rows of the original 
S-boxes were permutations of G 3 , then the rows of the expanded S-boxes 
will be permutations of H 3 , and the theorem would hold. 

7. Conclusions and future work 

This paper is a study of DES-like ciphers over arbitrary finite groups. We 
introduced a new simplified version of DES based on the finite group Z3. We 
showed that its set of encryption permutations does not form a group under 
functional composition. Corollary [9] indicates that this result is not particu- 
lar to the underlying group Z3. Theorem [8] shows that this conclusion holds 
for arbitrary finite groups. Our proof of this fact deviates from former com- 
putationally intensive methods by being a purely deductive proof. Before 
we discovered our deductive proof we also used the cycling closure test as 
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was used in the case of DES for the same question. All examples of DES-like 
cryptosystems are based on commutative groups. Though Theorem [8] ap- 
plies also to this case, we have not yet explored potential new complications 
that may arise when a version of DES is based on a non-commutative group. 

The group generated by this simplified DES cipher is not the alternating 
group as opposed to the group generated by the one-round functions of the 
classical DES and other block ciphers that generate the alternating group. 
It would be interesting to determine which finite groups can be the group 
generated by the set of encryption permutations of a DES-like cipher. 

We showed that the ra-round Feistel networks, n < 6 with one-to-one 
round functions "do not form a group" i.e. the set of such Feistel permuta- 
tions do not form a group under functional composition. It will be useful to 
know whether one can extend this result to hold for any number of rounds 
and based on any group operation in the underlying Feistel network. Our 
results motivate a need for re-examining the DES-like ciphers to determine 
the extent to which the old results hold when we consider arbitrary finite 
algebraic structures. 

References 

[I] G. Abdelmouez, F. S. Helail, and A. A. Elkouny, New DES based on Elliptic Curves, 
World Academy of Science, Engineering and Technology 63 (2010), 128-132. 

[2] L. Babinkostova, A. M. Bowden, A. M. Kimball, K. Williams, Algebraic Structures 
and Block Ciphers, (in preparation). 

[3] L. Babai, The probability of generating the symmetric group, Journal of Combina- 
torial Theory 52 (1989), 148-153. 

[4] E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, 
Springer Verlag, (1993). 

[5] D.K. Branstead, J. Gait, S. Katzke, Report of the Workshop on Cryptography in Sup- 
port of Computer Security, National Bureau of Standards, NBSIR 77-1291, (1977). 

[6] E.F. Brickell, J.H. Moore and M.R. Purtill, Structure in the S-boxes of the DES, 
Proceedings on Advances in Cryptology (1983), 3-8. 

[7] K. W. Campbell and M.J. Wiener, DES is not a Group, Crypto '92, 512-520. 

[8] G. Carter, E. Dawson, and L. Nielsen, A Latin Square variation of DES, Proceeding 
of Workshop on Selected Areas of Cryptography, (1995). 

[9] N.T. Courtois, G. Castagnos and L. Goubin, What do DES S-boxes Say to Each Other?, 
IACR Cryptology ePrint Archive, (2003). 

[10] D. Coppersmith, The Data Encryption Standard (DES) and its strength against at- 
tacks, IBM Journal of Research and Development, Vol. 38 (1994), 243-250. 

[II] D. Coppersmith and E. Grossman, Generators for Certain Alternating Groups with 
Applications to Cryptography, SIAM Journal on Applied Mathematics Vol.29 
(1975), 624-627. 

[12] J.D. Dixon, The probability of generating the symmetric group, Mathematics Z. 110 
(1969), 199-205. 

[13] S. Even and O. Goldreich, DES-Like Functions Can Generate the Alternating Group, 
IEE Transactions on Information Theory, Vol.29 (1983), 863-865. 

[14] H. Feistel, Cryptography and Computer Privacy, Scientific American, Vol. 228 
(1973), 15-23. 

[15] J. A. Gallian, Contemporary Abstract Algebra, Huston Mifflan Company, (1992). 



A SIMPLIFIED AND GENERALIZED TREATMENT OF DES RELATED CIPHERS 23 



[16] B.S. Kaliski, R.L. Rivest, and A.T. Sherman, Is the Data Encryption Standard a 
Group? (Results of Cycling Experiments on DES), Journal of Cryptology, Vol. 1 
(1988), 3-36. 

[17] B.S. Kaliski, R.L. Rivest, and A.T. Sherman, Is DES a pure cipher?, Crypto '85, 
212-226. 

[18] J. Konikoff and S. Toplosky, Analysis of Simplified DES Algorithms, Cryptologia, 
Vol. 34 (2010), 211-224. 

[19] M. Luby and C. Rackoff, How to construct pseudorandom permutations and pseudo- 
random functions, SIAM Journal of Computing, 17(2), (1988), 373-386. 

[20] A. Marioti and M. C. Tamburini, Bounds for the probability of generating the sym- 
metric and alternating groups, Archiv der Mathematik, Vol. 96 (2011), 115-121. 

[21] W. Mao, Modern Cryptography: Theory and Practice, Prentice Hall, (2003). 

[22] L. Miller, Generators of the Symmetric and Alternating Group, The American 
Mathematical Monthly, Vol. 48, (1941), 43 - 44. 

[23] S. Patell, Z. Ramzan and G. S. Sundaram, Luby-Rackoff Ciphers: Why XOR Is Not 
So Exclusive, Lecture Notes in Computer Science, Vol. 2595, (2001), 271-290. 

[24] G. Piret, LubyRackoff Revisited: On the Use of Permutations as Inner Functions of 
a Feistel Scheme, Designs, Codes and Cryptography Vol. 39 (2006), 233-245. 

[25] E. F. Schaefer, A Simplified Data Encryption Standard Algorithm, Cryptologia, Vol. 
20 (1996), 77-84. 

[26] C. E. Shannon, A Mathematical Theory of Communication, Bell System Technical 
Journal, 27 (1948), 379-423. 

[27] W. Trappe and L. C. Washington, Introduction to Cryptography with Coding Theory, 
Pearson Education, (2006). 

[28] Data, Encryption Standard, Federal Information Processing Standards Publications, 
U.S. Department of Commerce/National Institute of Standards and Technol- 
ogy, (1977). 

[29] R. Wernsdorf, The One-Round Functions of the DES Generate the Alternating Group, 
Eurocrypt '92, 99-112. 



Department of Mathematics, Boise State University, Boise ID 83725 

2 Department of Mathematics, Loyola Marymount University, Los Angeles, CA 
90045 

3 Department of Mathematics, University of Western Carolina, Cullowhee, NC 
28723 



21. BABINKOSTOVA ^ , A. M. BOWDEN 2 *, A. M. KIMBALL 3 *, AND K. J. WILLIAMS 1 * 

Appendix A. Cycling Experiments 

Orbit Test: The closure experiment for Z 2 DES§, Z 3 DES§, Z 7 DES§, and 
ZnDESg with random S-boxes, initial and final permutation and expansion 
function that meet their standard architectural requirements of Feistel based 
cryptosystems. 





Table 2: Computing 
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Table 3: Purity experiment for E-DES 
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Small subgroup experiment for E-DES 
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